18F / hub

DEPRECATED: Documentation hub for the 18F team
https://github.com/18F/handbook

MyUSA Authentication #89

Open mbland opened 9 years ago

mbland commented 9 years ago

In order to potentially pitch the Hub to groups that don't use Google-managed domains, we need to investigate how we could potentially use MyUSA for Hub authentication.

cc: @yozlet @afeld @dlapiduz @cpapazian

afeld commented 9 years ago

Sounds like https://github.com/bitly/google_auth_proxy might need to be forked... myusa_auth_proxy FTW!

cpapazian commented 9 years ago

@afeld not sure I follow.

cpapazian commented 9 years ago

@mbland MyUSA does not require an OAuth integration. We have a passwordless authentication workflow that sends a single-use token to your email address.

dlapiduz commented 9 years ago

@cpapazian google_auth_proxy is an app that only lets traffic through if you are authenticated with google apps. I believe @afeld is saying that we should fork it and use MyUSA instead of G+. :100: :+1:

afeld commented 9 years ago

'zactly. More info: https://github.com/18F/hub/blob/master/deploy/README.md#google-auth-proxy

afeld commented 9 years ago

Should also note that @GUI doesn't have access to our private Hub at the moment, because he doesn't have a GSA.gov email.

mbland commented 9 years ago

Ask, and ye shall receive! Behold: the changes needed to adapt the google_auth_proxy to MyUSA. You can try it out here: https://hub.18f.us/myusa/

Next steps:

jackiekazil commented 9 years ago

/cc @adelevie

dlapiduz commented 9 years ago

@mbland this is great!

I would fork it, rename and do MyUSA specific indeed. I think that the point of the g_a_p is to keep things extremely simple.

IMHO we should have everyone in MyUSA. Dogfooding FTW

adelevie commented 9 years ago

I agree with @dlapiduz. g_a_p isn't a Golang flavor of Omniauth or Passport. It does one thing, simply. Same should apply to a MyUSA variant.

Also, to increase the :dog: :food: factor, I stood up a MyUSA OAuth-consuming Sinatra app on our Cloud Foundry. Demo: http://adelevie-myusa-consumer.cf.18f.us/, Source: https://github.com/18F/omniauth-myusa/pull/8/files

GUI commented 9 years ago

@mbland: Thanks for tackling this! Should this MyUSA login be functional yet? Or is this still in progress? I just tried logging in via this, and got a "Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method" error:

[Image: screen shot 2015-03-16 at 12 21 39 pm]

Or is this just me? I am the odd one that only has an @nrel.gov e-mail address, so maybe it's just my account that doesn't have access?

mbland commented 9 years ago

Ah, that's because the Hub isn't "public" yet. @adelevie could you set that up for me? (And for yourself; I got that same error for your app. ;-)

mbland commented 9 years ago

FYI: I did just open bitly/google_auth_proxy#65 to at least ask the authors' preference (as well as bitly/google_auth_proxy#66 to fix a bug I found).

mbland commented 9 years ago

@yozlet @adelevie @jackiekazil Regardless of the google_auth_proxy development direction, what would y'all recommend as a strategy for getting 18F members (and everyone else in GSA currently in the guest users file) signed onto MyUSA? Should we just ask them all to register on https://alpha.my.usa.gov/ by a deadline? (Say, Friday, April 17? ;-)

Also, should we start making MyUSA registration part of the onboarding process?

adelevie commented 9 years ago

I'll defer to @jackiekazil or anyone else on the MyUSA team if they think otherwise, but I'd hold off for now on corralling folks into MyUSA just yet. I'm still learning a lot as I onboard onto the project and I don't want to overextend.

mbland commented 9 years ago

This definitely doesn't need to happen right away, @adelevie. Just wanted to put the question on the table, especially if we want to perhaps fold it into Fixit Day on April 17.

jackiekazil commented 9 years ago

@mbland give me a couple of days to get you an answer; I need to find concrete answers on a couple of things first. Please prompt me if I don't get back to you. ;-)

It should be noted too, that myusa will be open to the public. I wonder how/if Midas is doing gov employee only restrictions? /cc @ultrasaurus

adelevie commented 9 years ago

Maybe https://github.com/benbalter/gman?
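An added example, not part of the original thread and not code from google_auth_proxy, MyUSA or gman: once login moves to an identity provider that anyone can register with, the proxy has to authorize each authenticated e-mail address itself, here by exact domain plus a guest file. The `Authorizer` type, the guest-file format and the `verified` flag (assumed to be reported by the provider) are hypothetical.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Authorizer is a hypothetical post-login check run after the provider authenticates a user.
type Authorizer struct {
	domains map[string]bool // exact e-mail domains allowed as a whole
	guests  map[string]bool // individual addresses allowed from other domains
}

// NewAuthorizer takes allowed domains and guest-file text (one address per line, '#' comments).
func NewAuthorizer(domains []string, guestFile string) *Authorizer {
	a := &Authorizer{domains: map[string]bool{}, guests: map[string]bool{}}
	for _, d := range domains {
		a.domains[strings.ToLower(strings.TrimSpace(d))] = true
	}
	sc := bufio.NewScanner(strings.NewReader(guestFile))
	for sc.Scan() {
		line := strings.ToLower(strings.TrimSpace(sc.Text()))
		if line != "" && !strings.HasPrefix(line, "#") {
			a.guests[line] = true
		}
	}
	return a
}

// Allowed fails closed: unverified or malformed addresses are rejected, and
// domains are compared exactly, never by suffix or substring.
func (a *Authorizer) Allowed(email string, verified bool) bool {
	email = strings.ToLower(strings.TrimSpace(email))
	at := strings.Index(email, "@")
	if !verified || strings.Count(email, "@") != 1 || at == 0 || at == len(email)-1 ||
		strings.ContainsAny(email, " \t\r\n,<>") {
		return false
	}
	return a.guests[email] || a.domains[email[at+1:]]
}

func main() {
	// Constructed sample data, not real accounts.
	a := NewAuthorizer([]string{"gsa.gov"}, "# guests\nguest@nrel.gov\n")
	for _, e := range []string{"Someone@GSA.gov", "x@notgsa.gov", "x@gsa.gov.example.com", "guest@nrel.gov"} {
		fmt.Println(e, a.Allowed(e, true))
	}
}
```

The lookalike cases (`notgsa.gov`, `gsa.gov.example.com`) are the ones a suffix or substring comparison would let through.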